Re: [whatwg] URL: javascript URLs from Boris Zbarsky on 2012-09-28 (public-whatwg-archive@w3.org from September 2012)

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 28 Sep 2012 10:52:54 -0400
To: whatwg@lists.whatwg.org
Message-ID: <5065B9C6.7080609@mit.edu>

On 9/28/12 7:45 AM, Anne van Kesteren wrote:
> I have been looking into defining javascript URLs on top of
> http://url.spec.whatwg.org/ and would like some help. You get the
> JavaScript source by concatenating the path and fragment, with "#"
> inbetween of course, and then removing the percent encoding (for
> non-hierarchical URLs query appears to be part of the path). Then you
> feed that to the JavaScript parser/interpreter.

Sounds right.

> What I am wondering about is why e.g. %E2%84 results in a code point
> in both Gecko and Chrome and whether that is required for
> compatibility (in Opera I get U+FFFD as I expected).

I'm not sure I follow.  javascript:alert("%E2%84".charCodeAt(0)) does 
the same thing for me in Gecko, Chrome, and Opera.  What are you 
testing, exactly?

> bz also described some kind of special byte-based script in
> http://lists.w3.org/Archives/Public/public-whatwg-archive/2010Nov/0317.html
> but it appears no other browser has that.

That was for treatment of the return value, not for figuring out the 
string to execute, right?

If you're trying to define behavior for various cases of javascript:, 
you should consider defining the following, to the extent that they're 
not already defined:

1)  Whether the script executes (compare <img src> vs <iframe src>),
     but note that some UAs _do_ run the script for <img src>, but in
     a sandbox).
2)  When the script evaluates (sync vs async, say).
3)  The global object the script evaluates against.
4)  The origin and effective script origin of the script.
5)  What happens when this doesn't match the origin or effective script
     origin or whatever of the global object the script is evaluating
     against.
6)  Interactions with sandboxed iframes and CSP.  What happens when
     the parent page sets the location of a sandboxed iframe to a
     javascript: URI, for example?  I would be slightly shocked if
     there is UA interop here.
7)  Handling of the return value of the script.

Thanks for doing this!

-Boris

Received on Friday, 28 September 2012 14:53:28 UTC